This content originally appeared on DEV Community and was authored by Samuel Adeduntan
Objective: find and exploit SQL Injection (SQLi) vulnerabilities in the search and login features, and extract database information through them.
This article documents a security assessment I carried out against the deliberately vulnerable website testphp.vulnweb.com. The main goal was to find SQL Injection, a serious class of web application vulnerability. I began with manual testing to validate my suspicions before using automated tools to exploit the system further. The main findings were:
- Vulnerability Verified: the artist parameter of the artists.php page was confirmed to be highly vulnerable to SQL injection.
- Automated Exploitation Obstacles: connection resets initially prevented direct automation with sqlmap against the search page, indicating a basic defensive mechanism.
- Successful Login Bypass: the main vulnerability was eventually exploited through the login form (login.php) by feeding a captured request to sqlmap, resulting in a login bypass and database enumeration.
- Data Extraction: from the Acuart database, I was able to extract the table names, database schema, and private user information.
This exercise emphasizes how crucial parameterized queries and strong input validation are to web development.
Target analysis and reconnaissance
Understanding the target is essential before any exploitation. I started by examining the website's layout.
**Step 1: Manual Browsing:** I located and browsed the pages of http://testphp.vulnweb.com/. The website functions as a prototype art gallery with artist listings, a user login, and a search function.
**Step 2: Finding Attack Surfaces:** I concentrated on two essential interactive components that frequently communicate with a backend database:
- The search function at artists.php?artist=1. The artist parameter is supplied directly in the URL (a GET request), which makes it an ideal candidate for testing.
- The login portal at login.php. This form submits a username (uname) and password (pass) in a POST request, another well-known SQLi attack vector.
Manual Testing and Identification of Vulnerabilities
Before using automated tools, I always begin with manual testing to learn how the application behaves.
**Step 1: Artist Parameter Testing**
I loaded http://testphp.vulnweb.com/artists.php?artist=1. Details for artist ID 1 were shown.
**Logic Manipulation Test:** I modified the URL to: http://testphp.vulnweb.com/artists.php?artist=1' OR 1=1 --
- ' : This single quote is intended to break the original SQL query syntax.
- OR 1=1 : This condition always evaluates to TRUE, potentially manipulating the query's WHERE clause.
- -- : This is the SQL comment operator. It discards whatever remains of the original query, so the text after the injected code cannot cause a syntax error.
**Observation:**
The application returned an SQL syntax error. While an error is not a guarantee of an exploitable injection point, it confirms the vulnerability by showing that user input is being concatenated into the SQL query without adequate sanitization.
Automated Exploitation (First Attempt) Using sqlmap
With manual confirmation in hand, I used sqlmap to automate the exploitation and data extraction process.
**Step 1: Database Enumeration (Failed Attempt):**
Command: sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --batch --dbs
Intention: this command tells sqlmap to test the artist parameter, retrieve all database names (--dbs), and automatically answer "yes" to all prompts (--batch).
Finding: the tool failed with recurring "connection reset" errors. This implied that the server, or a network device in front of it acting as a rudimentary intrusion prevention system or Web Application Firewall (WAF), was recognizing and dropping the tool's aggressive payloads.
Screenshot: the output of the first sqlmap command in the Kali Linux terminal, highlighting the [CRITICAL] connection reset errors. It illustrates a typical automated testing challenge and the need for evasion strategies.
**Step 2: Overcoming Basic Defenses (Successful Attempt):**
To get around this, I needed to make the requests look more legitimate. I used two standard options (--delay 1 waits one second between requests; --random-agent sends a randomly chosen browser User-Agent header):
Updated command: sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --delay 1 --dbs --batch --random-agent
This strategy worked: sqlmap located the vulnerability and retrieved the database names, confirming the presence of a database called acuart.
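As an added defender-side example (not part of the original post): a small detector that parses web server access-log lines, URL-decodes the query string, flags the SQLi shapes seen in this write-up, and groups hits by client address. The log lines and the sqlmap-style User-Agent value are constructed for the example, and the regex list is deliberately minimal. Grouping by source address rather than by User-Agent is the point: --random-agent changes the header on every request and --delay only slows the scan, so neither alters the payload shape or its origin.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-combined-format lines: one scanning client (203.0.113.5)
# rotating user agents, and one ordinary visitor (198.51.100.9).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Aug/2025:10:00:01 +0000] "GET /artists.php?artist=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Aug/2025:10:00:07 +0000] "GET /artists.php?artist=1%27%20OR%201%3D1%20-- HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Aug/2025:10:00:09 +0000] "GET /artists.php?artist=1%27 HTTP/1.1" 200 1900 "-" "sqlmap/1.7"
203.0.113.5 - - [28/Aug/2025:10:00:11 +0000] "GET /artists.php?artist=1%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.5 - - [28/Aug/2025:10:00:12 +0000] "GET /artists.php?artist=1%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 200 6001 "-" "Opera/9.80"
198.51.100.9 - - [28/Aug/2025:10:00:15 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Each rule is applied to the URL-decoded, lower-cased query string.
RULES = [
    ("quote_or_tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+")),   # 1' OR 1=1
    ("boolean_probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+")),    # 1 AND 1=1
    ("union_select", re.compile(r"\bunion\b.*\bselect\b")),          # column probing
    ("comment_terminator", re.compile(r"(--|#|/\*)\s*$")),           # trailing comment
    ("lone_quote", re.compile(r"'$")),                               # bare quote probe
]


def parse_line(line):
    """Split one access-log line into fields; the query is decoded for matching."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    _, _, query = rec["path"].partition("?")
    rec["query"] = unquote_plus(query).lower()
    return rec


def classify(query):
    """Return the names of every rule that matches a decoded query string."""
    return [name for name, rx in RULES if rx.search(query)]


def scan(log_text):
    """Per-IP summary: total requests, flagged requests, rules hit, user agents seen."""
    per_ip = defaultdict(
        lambda: {"requests": 0, "flagged": 0, "rules": set(), "agents": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        summary = per_ip[rec["ip"]]
        summary["requests"] += 1
        summary["agents"].add(rec["ua"])
        hits = classify(rec["query"])
        if hits:
            summary["flagged"] += 1
            summary["rules"].update(hits)
    return dict(per_ip)


def suspicious_sources(log_text, min_flagged=2):
    """Addresses with repeated SQLi-shaped requests, however many agents they rotate."""
    return sorted(
        ip for ip, s in scan(log_text).items() if s["flagged"] >= min_flagged
    )


if __name__ == "__main__":
    for ip, s in scan(SAMPLE_LOG).items():
        print(ip, s["requests"], s["flagged"], sorted(s["rules"]), len(s["agents"]))
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

A production detector would additionally normalise double encoding, Unicode and case variants before matching, and feed the per-address counts into a rate rule; this example shows only the minimum structure of decode, match, and aggregate by origin.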
**Step 3: Examining the Database in Depth:**
I then concentrated on mapping the structure of the Acuart database.
To enumerate tables: sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" --delay 1 -D acuart --tables --batch --random-agent
Finding: the tool listed the tables, among them a promising users table.
Exploiting the Login Form
I also targeted the login form, a high-value target for attackers seeking unauthorized access.
**Step 1: Manual Testing:**
I tried classic payloads such as admin' -- and 1' OR 1=1 -- in the username field. The application did not grant access but also did not return a detailed error, suggesting that input is handled differently than on the search page.
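The two query shapes behind these manual tests, as an added example that is not part of the original post and not the target site's code: a string-concatenated query beside its parameterized replacement, for both the artists.php artist parameter tested earlier and the login.php uname/pass fields tested here, run against an in-memory SQLite database with constructed rows. The table and column names (artists.aid, artists.aname, users.uname, users.pass) are assumptions modelled on the post's description, not the real Acuart schema.

```python
import sqlite3

# Payloads exactly as used in the post's manual tests.
SEARCH_PAYLOAD = "1' OR 1=1 --"
LOGIN_PAYLOAD = "admin' --"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed rows (assumed schema, not Acuart's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE artists (aid INTEGER PRIMARY KEY, aname TEXT);
        INSERT INTO artists VALUES (1, 'Alice'), (2, 'Bob'), (3, 'Carol');
        -- Plaintext passwords only to keep the example short; real code stores a hash.
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO users VALUES ('admin', 'correct-horse'), ('test', 'test');
        """
    )
    return conn


def vulnerable_search(conn, artist):
    """artists.php-style lookup with the input concatenated into the SQL (the flaw)."""
    sql = f"SELECT aname FROM artists WHERE aid = '{artist}'"
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, artist):
    """Same lookup with a bound parameter: the value is never parsed as SQL."""
    rows = conn.execute("SELECT aname FROM artists WHERE aid = ?", (artist,))
    return [row[0] for row in rows]


def vulnerable_login(conn, uname, pw):
    """login.php-style check built by concatenation; returns the matched user or None."""
    sql = f"SELECT uname FROM users WHERE uname = '{uname}' AND pass = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, uname, pw):
    """Parameterized login check."""
    row = conn.execute(
        "SELECT uname FROM users WHERE uname = ? AND pass = ?", (uname, pw)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run each case and return the observed behaviour in a dict."""
    conn = make_db()
    out = {}
    out["normal"] = vulnerable_search(conn, "1")                # ['Alice']
    out["injected"] = vulnerable_search(conn, SEARCH_PAYLOAD)   # every artist: WHERE is always true
    try:
        vulnerable_search(conn, "'")                            # a bare quote breaks the statement
        out["quote_error"] = False
    except sqlite3.OperationalError:
        out["quote_error"] = True                               # the syntax error the post observed
    out["safe_injected"] = safe_search(conn, SEARCH_PAYLOAD)    # []: no row has that literal id
    out["bypass"] = vulnerable_login(conn, LOGIN_PAYLOAD, "wrong")  # 'admin': password clause commented out
    out["safe_bypass"] = safe_login(conn, LOGIN_PAYLOAD, "wrong")   # None
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running demo() reproduces the three behaviours seen on artists.php: a bare quote raises an SQL syntax error, 1' OR 1=1 -- returns every artist, and the same input against the parameterized query returns nothing because the driver sends it as data rather than SQL. The login case shows what admin' -- does when a query is built the same way, and that a bound parameter closes it without any input filtering.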
**Step 2: Capturing the Request with Burp Suite:**
I used Burp Suite as a proxy to intercept the HTTP POST request sent when clicking the "Login" button. This allowed me to see the raw request being sent to the server.
Screenshot: the Burp Suite Proxy > Intercept tab, showing the intercepted POST request to /login.php with the parameters uname=test&pass=test.
Conclusion
This evaluation of a test environment gave a clear, practical picture of a real-world SQL injection attack flow.
- SQLi's Evergreen Threat: Despite being well-known for decades, SQLi is still a viable attack vector, particularly against applications that ignore basic security principles such as input validation and prepared statements.
- The Advantages of Manual Testing: A single quote (') can expose a serious flaw. Manual testing provides insights into an application's behavior that pure automation cannot.
- Automation is a Force Multiplier: While manual testing identifies flaws, tools like sqlmap are critical for swiftly exploiting them and exfiltrating large amounts of data.
- Bypassing Simple Defenses: Defensive mechanisms such as connection throttling or simple WAF rules are frequently overcome with tactics such as random user agents and delays, which stresses the importance of defense in depth.
- The Importance of Secure Coding: The root cause of this vulnerability is the concatenation of user input directly into SQL queries. The only robust option is to use parameterized queries (prepared statements) throughout the application.
This exercise was carried out with a legally permitted objective for educational reasons. Before testing any website or program, always obtain explicit consent.

Samuel Adeduntan | Sciencx (2025-08-28T23:00:39+00:00) A Technical Deep Dive: Exploiting SQL Injection Vulnerabilities. Retrieved from https://www.scien.cx/2025/08/28/a-technical-deep-dive-exploiting-sql-injection-vulnerabilities/